Weird problems with https.*() functions #450

Closed
odnamrataizem opened this issue May 24, 2017 · 8 comments

odnamrataizem commented May 24, 2017

I have a Liquidsoap script that makes use of the https.*() functions, which seem to fail strangely depending on the URL -- in fact, it always seems to reject the SSL connection, at least in interactive mode, and even then, it may still end up working. Also, when it does return an error, the error description isn't as informative as I hoped it would be.

This returns an error:

```
# https.get("https://www.google.com/");;
Certificate[2] subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Certificate[2] issuer =/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
SSL: rejecting connection - error=20
- : ((((string*int)*string)*[(string*string)])*string) = (((("Internal error",999),"Internal error"),[]),"Error while processing request: Ssl.Read_error(5)")
```

This does too, albeit a different one:

```
# https.get("https://i.kantorad.io/");;
- : ((((string*int)*string)*[(string*string)])*string) = (((("Internal error",999),"Internal error"),[]),"Error while processing request: Ssl.Connection_error(1)")
```

While this works despite "rejecting connection":

```
# https.get("https://www.facebook.com/");;
Certificate[1] subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Certificate[1] issuer =/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
SSL: rejecting connection - error=20
- : ((((string*int)*string)*[(string*string)])*string) = (((("HTTP/1.1",200),"OK"),[("x-xss-protection","0"), ...]),"<!DOCTYPE html>...")
```

All the URLs above can be cURL'd normally, which I'm currently using as a workaround.

That said, I reckon I might be missing something here, as I don't do OCaml to investigate further :(

Liquidsoap 1.3.0, Ubuntu 16.04.2.
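
An added example, not part of the original post and not Liquidsoap code: a small parser for the transcript format shown above that pairs each `SSL: rejecting connection` line with the certificate it names and with the outcome of the request. It assumes the number after `error=` is an OpenSSL certificate-verification code (20 is "unable to get local issuer certificate"); `triage` and its field names are made up for this example.

```python
import re

# Subset of OpenSSL X509_V_ERR_* codes, i.e. the number printed after "error=".
VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
CERT_RE = re.compile(r"^Certificate\[(\d+)\] (subject|issuer) ?=(.*)$")
REJECT_RE = re.compile(r"^SSL: rejecting connection - error=(\d+)$")
RESULT_RE = re.compile(r'^- : .*= \(\(\(\("([^"]+)",(\d+)\)')

def triage(transcript):
    """Return one finding per https.get() result line in the transcript."""
    findings, cert, reject = [], {}, None
    for line in map(str.strip, transcript.splitlines()):
        if m := CERT_RE.match(line):
            cert["depth"] = int(m.group(1))
            cert[m.group(2)] = m.group(3)  # "subject" or "issuer" DN
        elif m := REJECT_RE.match(line):
            code = int(m.group(1))
            reject = {"code": code, "reason": VERIFY_ERRORS.get(code, "unknown"), **cert}
        elif m := RESULT_RE.match(line):
            got_http = m.group(1).startswith("HTTP/")
            findings.append({
                "status": int(m.group(2)),
                "reject": reject,
                # True when a response came back although verification complained.
                "proceeded_after_reject": reject is not None and got_http,
            })
            cert, reject = {}, None
    return findings

# Abridged from the interactive session in the post above (headers and body cut).
SAMPLE = """Certificate[2] subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Certificate[2] issuer =/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
SSL: rejecting connection - error=20
- : ((((string*int)*string)*[(string*string)])*string) = (((("Internal error",999),"Internal error"),[]),"Error while processing request: Ssl.Read_error(5)")
Certificate[1] subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Certificate[1] issuer =/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
SSL: rejecting connection - error=20
- : ((((string*int)*string)*[(string*string)])*string) = (((("HTTP/1.1",200),"OK"),[]),"<!DOCTYPE html>")
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A finding with `proceeded_after_reject` set is the case worth checking against the local CA bundle, since the issuer named in `reject` is the one the verifier could not find.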

toots (Member) commented May 28, 2017

Hi,

SSL certificates are validated using the underlying openssl library. There must be something in your setup that does not work or is not configured correctly.

toots (Member) commented Aug 1, 2017

Actually, I can reproduce that.. Hmm..

toots (Member) commented Aug 2, 2017

Okay, further testing also shows an error when fetching https://www.google.com with osx-secure-transport enabled so this ought not to be openssl-related.

openssl-based https.get also works with many other URLs, including this PR :-)

I'm assuming that the SSL: rejecting connection - error=20 is a fluke while establishing the correct SSL connection. Remember that some ciphers have recently been deactivated etc.

I'm also assuming that google has some kind of protection on its https://www.google.com endpoint which isn't present with http://www.google.com or even:

```
# https.get("https://google.com");;
Certificate[2] subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Certificate[2] issuer =/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
SSL: rejecting connection - error=20
- : ((((string*int)*string)*[(string*string)])*string) = (((("HTTP/1.0",301),"Moved Permanently"),[("location","https://www.google.com/"), ("content-type","text/html; charset=UTF-8"), ("date","Wed, 02 Aug 2017 15:17:07 GMT"), ("expires","Fri, 01 Sep 2017 15:17:07 GMT"), ("cache-control","public, max-age=2592000"), ("server","gws"), ("content-length","220"), ("x-xss-protection","1; mode=block"), ("x-frame-options","SAMEORIGIN"), ("alt-svc","quic=\":443\"; ma=2592000; v=\"39,38,37,36,35\"")]),"<HTML><HEAD><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\">\n<TITLE>301 Moved</TITLE></HEAD><BODY>\n<H1>301 Moved</H1>\nThe document has moved\n<A HREF=\"https://www.google.com/\">here</A>.\r\n</BODY></HTML>")
```

Thus, closing this one. Please reopen if needed.

toots closed this as completed Aug 2, 2017

mcfiredrill (Contributor) commented

Hi, I'm seeing the same errors. I tried on several URLs including google. Can this issue be reopened?

```
let (status, headers, data) = https.get("https://streampusher.com")
log("status: #{status}")
log("headers: #{headers}")
log("data: #{data}")
```

```
$ liquidsoap http_test.liq
Certificate[1] subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Certificate[1] issuer =/O=Digital Signature Trust Co./CN=DST Root CA X3
SSL: rejecting connection - error=20
No output defined, nothing to do.
```

smimram reopened this Oct 22, 2019

smimram (Member) commented Oct 22, 2019

It seems that it actually works if you add

```
output.dummy(blank())
```

after that. The error message does not prevent the function from running, the error is due to the absence of source. Can you confirm?

GermanCascales commented

> The error message does not prevent the function from running, the error is due to the absence of source. Can you confirm?

Actually not, this is happening even with a source in use (Liquidsoap 1.4.0 on Windows 10 x64).

Please check it out, because this is getting me totally crazy 😖

smimram (Member) commented Mar 2, 2020

I ran your exact script and get

```
2020/03/02 13:01:25 [lang:3] status: ("HTTP/1.1", 200, "OK")
2020/03/02 13:01:25 [lang:3] headers: [("server", "nginx/1.17.7"), ("date", "Mon, 02 Mar 2020 12:01:25 GMT"), ("content-type", "text/html; charset=utf-8"), ("connection", "close"), ("x-frame-options", "SAMEORIGIN"), ("x-xss-protection", "1; mode=block"), ("x-content-type-options", "nosniff"), ("etag", "W/\"8e2f787a34b3ccfcbd8e5e14f5f85196\""), ("cache-control", "max-age=0, private, must-revalidate"), ("set-cookie", "_stream_pusher_session=d25pUU01SHlKMzlOeE9hL2U0c25RL1YwdXUxamNaZlZmdEszMjUyY2dTUkpqRnBNNVlGK0RtUmt3VTFjT21BSmRiQi9WNzdBakFwb0h0M0xhdUJDaFpVQ3dGRnJLTEtQTU5EYlJYSlNrZmE5WTZ1MGRRSE93SEdwaDBYUEh5ZXRKaVdqc2swT1Q4OWplUmc2VmZyRnlnPT0tLW1OUWQ3d3h4Rkp4cS9HTHFHWTV3Qnc9PQ%3D%3D--3a9d85c9d7beffcb0351f8e587abf8ec99f06ec1; path=/; secure; HttpOnly"), ("x-request-id", "a1ddfff6-e2d6-45d2-ba02-5c3d2ca6af51"), ("x-runtime", "0.006857"), ("strict-transport-security", "max-age=15552000"), ("vary", "Origin")]
2020/03/02 13:01:25 [lang:3] data: <!DOCTYPE html>
<html>
<head>
  <title>Streampusher: Start your own live streaming internet radio station</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Start your own live streaming internet radio station with Streampusher.">
<meta name="keywords" content="radio, online radio, streaming, streampusher, broadcasting software, internet radio, music, radio automation" />
```

as output...

toots closed this as completed in 504f716 Mar 20, 2020

toots (Member) commented Mar 20, 2020

This should be fixed in the latest master branch now!
